Build Resilience Against Human-Targeted Cyber Attacks
Vulnerability tests and penetration tests are mostly designed to assess the security of your technology-based security controls. An effective social engineering test does include some technology assessment, but mostly addresses your human controls – policy, procedures, training, and awareness. Since most studies agree that over 95% of all cyberattacks include some facet of social engineering, this is definitely an underappreciated focus.
Social engineering seeks to take advantage of people who have access within your environment, trying to trick them into taking an action that benefits the attacker. This includes actions such as opening a hostile email, installing a Trojan horse or other malware, or even providing sensitive information over the telephone. Human controls should, however, also be supported by technical controls, such as filtering email or blocking hostile attachments and links.
Our social engineering assessments help provide full-coverage security for clients. Offered on their own or together with complementary services, they help you understand how well you are doing at enabling your employees to support the most secure operations they are able to. Not only does a social engineering assessment include an engagement-specific report, but our security professionals also update the Darwin Attack® portal with key findings. This means you don’t need to wait for the report to start remediation. You can start fixes immediately, making the best use of the information in our collaboration portal.
Our Social Engineering Assessment Solutions
- Scoping the test to ensure we have well-defined testing goals and rules of engagement. Agree on the targeted staff, systems, and applications.
- Reconnaissance of the public face of your organization (including social media) to determine potentially interesting details and targets, including targeted systems or applications, as well as both general and specific users.
- Assessment of your staff by exercising the appropriate service offerings. Include results of related testing to maximize test efficiency and effectiveness.
- Report on the results of the engagement.
Depending on the exact social engineering services engaged, this can include actions such as:
- Email phishing – Send both customized and spam-type emails to selected staff in attempts to extract information. This can include requests for both specific and general information by email, and includes spoofed email to hide the origin of the email and to pretend to be other internal staff. Include attachments to test whether potentially hostile attachments are blocked by technology and whether any attachments that reach end users are ignored or opened. Also include emails with shortened URLs and potentially hostile links.
- SMS phishing – Send selected staff text messages with fake information (such as “call back” numbers), potentially hostile attachments, links, and shortened URLs, and evaluate whether users follow links or call provided phone numbers. This will include using spoofed phone numbers to pretend to be other internal staff or authorized two-factor authentication providers.
- Physical intrusion – Attempt physical access to targeted facilities. This can include bypassing or avoiding physical access protections by methods including tailgating, or by alternate entry (such as entrance via a loading dock, outdoor eating area, or smoker’s area). This can include disabling locks or alarms by non-damaging means, and may include dumpster diving.
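The email phishing item above exercises three things a mail filter should catch before a message reaches a person: a sender pretending to be internal staff, a potentially hostile attachment, and a shortened or hostile link. The following added example (written for this page, not Evolve Security's tooling) triages a raw message for those indicators with Python's standard `email` package. The internal domain, the shortener list, the blocked-extension policy and the two sample messages are all constructed assumptions.

```python
"""Triage a raw e-mail for the phishing indicators listed above.

Added example, not the assessment vendor's code. INTERNAL_DOMAIN,
URL_SHORTENERS, BLOCKED_EXTENSIONS and both sample messages are
constructed assumptions for illustration.
"""
import email
import re
from email import policy

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}  # assumption: triage denylist
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk"}  # assumption: attachment policy
URL_RE = re.compile(r"https?://([^\s/<>\"']+)", re.IGNORECASE)


def _first_address(msg, header):
    """Return the first parsed address of an address header, or None."""
    hdr = msg[header]
    if hdr is None or not getattr(hdr, "addresses", ()):
        return None
    return hdr.addresses[0]


def sender_looks_spoofed(msg):
    """Flag a From display name that claims our domain while the real
    address is elsewhere, or an internal From with an external Reply-To."""
    sender = _first_address(msg, "From")
    if sender is None:
        return False
    domain = sender.domain.lower()
    if INTERNAL_DOMAIN in sender.display_name.lower() and domain != INTERNAL_DOMAIN:
        return True
    reply_to = _first_address(msg, "Reply-To")
    return (reply_to is not None and domain == INTERNAL_DOMAIN
            and reply_to.domain.lower() != INTERNAL_DOMAIN)


def risky_attachments(msg):
    """Filenames of attachments whose extension is on the block list."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            found.append(name)
    return found


def shortened_links(msg):
    """Hostnames of links in the body that point at a URL shortener."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hosts = {m.group(1).lower() for m in URL_RE.finditer(text)}
    return sorted(h for h in hosts if h in URL_SHORTENERS)


def triage(raw):
    """Parse a raw RFC 5322 message and return the three indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {
        "spoofed_sender": sender_looks_spoofed(msg),
        "risky_attachments": risky_attachments(msg),
        "shortened_links": shortened_links(msg),
    }


# Constructed phishing-style sample: display name shows the internal address,
# real sender is a look-alike domain, body carries a shortener link, and an
# executable attachment is included.
PHISH_SAMPLE = """From: "helpdesk@example.com" <helpdesk@examp1e-mail.net>
To: staff@example.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at https://bit.ly/reset-now before 5pm.

--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxl
--b1--
"""

# Constructed benign sample: genuine internal sender, plain intranet link.
BENIGN_SAMPLE = """From: Jane Doe <jane@example.com>
To: staff@example.com
Subject: Updated travel policy
Content-Type: text/plain; charset="utf-8"

The revised policy is at https://intranet.example.com/policy/travel
"""


def run_samples():
    """Triage both constructed samples; handy for a quick self-check."""
    return {"phish": triage(PHISH_SAMPLE), "benign": triage(BENIGN_SAMPLE)}


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(label, result)
```

The checks are deliberately narrow: a display name that carries the internal domain, an extension on a block list, and a link host on a shortener list. A real gateway would add SPF/DKIM/DMARC results and link expansion, but these three are the ones the phishing item in the list above is designed to exercise, and each maps to a technical control that backs up the human one.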
Regardless of the specific engagement, the processes and results of social engineering tests are not always clear – it can be difficult to truly appreciate the impact of negative results. As a result, Evolve Security is committed to ensuring that the results and impacts are as clear and concise as possible through a social engineering briefing that discusses the results with your appropriate staff – not a one-way briefing, but a conversation about the results to ensure we both understand the impact.
Modernize Your Social Engineering Approach
Many penetration test companies do not offer full social engineering assessment services. Penetration test vendors are more focused on automated technical testing. Those who do perform social engineering often rely on tools and limit the customized portions of the testing, making such tests more “cookie cutter.”
Evolve Security is dedicated to making all social engineering engagements focused on your specific concerns and your staff and environment. Our social engineering assessments are highly customized to you, and focus on the specific users, systems, and applications that are important to your business operations. The goal of our social engineering testing is to enable you to improve your operational security, improving your control over your operations, and thus increasing both security and reliability.
During social engineering engagements, our security professionals enter findings, such as identified issues and potentially exploitable findings (like passwords or other sensitive details), directly into our Darwin Attack® portal. We update the portal on a near-real-time basis, not at the end of the test. Providing you access to the same portal used by our testers and security professionals helps maximize the efficiency and effectiveness of your entire testing, remediation, and management process. You get to begin remediation, including testing and internal communications, earlier, speeding up your remediation process.
Our Social Engineering Assessments Continue to Evolve
Social engineering tends to be a highly customized offering, highly dependent on the specific organization. Tools and automation play a significant part in testing, and Evolve Security constantly updates its tool sets to help ensure that we are using the best tools available for the given engagement. Our team of security professionals constantly monitors developments in social engineering standards, and updates processes and standards as appropriate. We also hold regular project review sessions and update our internal standards to help ensure we are assessing to at least the standards of good business practice, based on the practices of current clients. Every engagement includes a review of our own benchmarks to help ensure that we are assessing against the most appropriate set of controls.